How You Can Buy ATT TMobile and Sprint Real Time Location Data
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 335 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/48389 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Video trackingDatabaseTrailUniform resource locatorMessage passingNumberGeometryFocus (optics)DatabaseData miningQuicksortCausalitySource codeOpen sourceSystem callCASE <Informatik>Computer animation
00:51
GEDCOMNumberSource codeChainScale (map)TelecommunicationSource codeOpen sourceData miningInformationSoftware developerDigitizingChainUniform resource locatorSheaf (mathematics)NumberTerm (mathematics)Figurate numberRight angleCybersexTheoryQuicksortSound effectMereologyLengthBlock (periodic table)MultilaterationFocus (optics)Google MapsService (economics)Real numberDiameterPower (physics)MotherboardLine (geometry)
04:50
TowerCellular automatonBlock (periodic table)MetreBuildingCharge carrierComputer iconTowerRoutingSystem callMessage passingInformationUniform resource locatorCellular automatonSequelCore dumpCharge carrierBuildingQuicksortSingle-precision floating-point formatCausalitySheaf (mathematics)Block (periodic table)Real numberTemplate (C++)Latent heatSkeleton (computer programming)Doubling the cubeSource codeDependent and independent variablesAddress spaceClient (computing)Figurate numberDigitizingSimilarity (geometry)Exception handlingCategory of beingNumberService (economics)1 (number)Discrepancy theorySoftwareDatabase transactionOnline helpRight angleFocus (optics)Service-oriented architectureIncidence algebraComputer animation
09:46
StatisticsPresentation of a groupPrice indexProbability density functionQuicksortCharge carrierSystem callMultiplication signInformationWebsiteService-oriented architectureUniform resource locatorXML
10:47
Identity managementFormal verificationCore dumpData integrityMobile WebEmailPasswordCellular automatonTerm (mathematics)Condition numberStaff (military)Electronic mailing listSource codeWebsiteQuicksortComputer fileSystem administratorUniform resource locatorMetropolitan area networkExistenceTrailInformationBuildingService (economics)CASE <Informatik>Service-oriented architectureTowerSoftware repositoryMultiplication signBitGreatest elementRight angleLogical constantImage registrationIP addressProduct (business)DigitizingMetreCache (computing)DistanceChainProjective planeConstructor (object-oriented programming)Free variables and bound variablesIncidence algebraNumberAddress spaceEmailSheaf (mathematics)Formal verificationDiameterINTEGRALMobile WebMultilaterationProbability density functionIdentity managementInterface (computing)Functional (mathematics)Computer configuration
18:41
IP addressInformation privacyImage registrationCausalityLoginQuicksortPasswordExistenceInformation
19:21
System administratorRule of inferenceOpen sourceQuicksortIP addressConnected spacePhysical systemMeasurementInformation security
20:24
Database transactionAddress spaceWebsitePhysical systemOpen source
20:56
CASE <Informatik>Physical lawChemical equationType theoryUniform resource locatorOnline chatFamily2 (number)Multiplication signInformationQuicksortProcess (computing)YouTubePhysical systemSystem administratorGroup actionGreatest elementShooting methodService (economics)Address spaceNumberWebsiteImage registrationComa BerenicesIP address
24:47
Cellular automatonCharge carrierGoogle MapsInformationStandard deviationConvex hullOperator (mathematics)Order (biology)Ocean currentQuicksortSimilarity (geometry)Level (video gaming)Real-time operating systemCharge carrierSystem callMoment (mathematics)Cellular automatonTowerSource codeTraffic reportingPrisoner's dilemmaWebsitePhysical systemClient (computing)Probability density functionInterface (computing)Uniform resource locatorLocal ringService (economics)Parallel portCASE <Informatik>Proper mapHypermediaOffice suiteDependent and independent variablesService-oriented architectureTriangulation (psychology)Stress (mechanics)Google MapsConnected space
30:49
Charge carrierEmailSound effectUniform resource locatorCASE <Informatik>Real-time operating systemSheaf (mathematics)Physical lawChain
31:52
EmailNumber
32:33
Daylight saving timeMobile WebVideo gameInternet service providerHoaxUniform resource locatorNumberStaff (military)Reading (process)Multiplication signMessage passingRight angleCASE <Informatik>Hacker (term)Service (economics)EmailPosition operatorClient (computing)Order (biology)Ultraviolet photoelectron spectroscopyReal numberLine (geometry)Interface (computing)Real-time operating systemInformation technology consultingProcess (computing)Power (physics)QuicksortSelectivity (electronic)Charge carrierDiameterTraffic reportingPhysical systemStructural loadMobile appMalwareSocial engineering (security)
Transcript: English(auto-generated)
00:01
Hey, so yeah, I'm Joseph Cox, a journalist, I'll elaborate on uh my affiliations in a bit. But, I'm gonna be talking about how you can buy AT&T, T-Mobile, Sprint, and in some cases Verizon data um on the black market. So, one day, I just wake up and I get this
00:23
rather ominous message. And I've kind of put it verbatim so there are some typos and stuff, but there is a new bail bond database company that is geo-tracking people. People are reselling to the wrong people, call me. And obviously I've redacted the sources um phone number because they're anonymous source. Um, we hear about government surveillance,
00:43
geo- uh geolocation tracking, all that sort of stuff all the time. Here, this is a private company selling a similar capability to private individuals, uh a particular focus of mine. And of course, reselling to the wrong people, I want to know um what this is. This source says they're in or around the bounty hunting industry and they're clearly quite
01:05
familiar with how this technology works. So we start talking, uh they only really want to discuss it on the phone. They say many people's uh rights are being violated. As we strike up a conversation, he's using terms like phone ping, which uh some of you
01:22
may know is sort of law enforcement or industry parlance for geolocating a phone. Um, source even offers if you give me a phone number, uh he will be able to locate it. That is a pretty wild claim. Uh and I was obviously very skeptical at first, but hell, why
01:40
not? Um, so I get a US phone number of someone that I know would give consent to be tracked uh with their permission, obviously. Uh but then they say if you're paying the 300 dollars. Now this is the price that a phone ping was going on the black market at the time. We'll go into uh other prices a little bit later. Uh and I say yeah, I give the
02:03
phone number, again I've redacted that, uh and when do you think it'll be doable? Uh just before I kind of uh carry on on that, we don't normally pay sources for information because if you start paying someone, they're gonna give you stuff kind of irrespective of whether it's true or not, irrespective of its veracity, so you don't want
02:22
to do that as a journalist, you only want to do stuff that's in the public interest. But here, we want to see, explore or prove whether this is even possible. You know, I mean we could talk to 3, 4, 5 people who says yes, but we want to actually see it and we want to actually geolocate a phone because if I can do that, and I'm not a bounty
02:41
hunter, I'm not a cop, uh I'm a journalist, that shouldn't be possible, theoretically. So that's why we um took that extra step. Uh and then he says yeah, I'll figure it out and get back to you. Shortly after, I get sent a Google Maps uh interface. This isn't the exact phone ping, uh I'm gonna show you genuine, real phone locations uh from bounty
03:04
hunting, bounty hunter services later. This is um similar to the one we got. Uh it geolocated to Queens New York uh to where the person was who agreed to be tracked. And as you can see, it's something like 5, 6 blocks um diameter. Uh but it was pretty
03:21
accurate. So that's the main story we're gonna focus on and it'll it'll develop from there. But just to elaborate a bit, I'm a journalist from motherboard, which is like the technology and science section of Vice. I cover the digital underground, cyber security, hacking, uh and this kind of um you know brings all of those together. And
03:43
right up top, if you have more information about location data, that's my signal number and I will put it uh at the end as well. So just to lay out sort of what I'm gonna be talking about. Obviously first, it's gonna be how my source actually managed to get that data and how we managed to track a phone um to Queens New York. The supply chain of that
04:02
location data is not as simple as me just going to T-Mobile, buying the data and then getting it there. There are various organizations, companies in sort of a trickle down effect um of how this industry actually works. And then I'm gonna show that this, it it wasn't just a one off for us. Like we didn't get lucky and like oh this is one instance
04:22
of abuse. It is uh an endemic problem. Uh and leaked documents that we got from one company specifically marketing uh to bounty hunters GLAK phones kinda shows the like wider breadth of this um issue. But then there's like a short part at the end which
04:40
shows how you can still do it today with a different method including for Verizon data um as well. And it is worryingly simple to actually get hold of that data. So what actually is the information that's being sold? I mean as the vast majority of you will know your cell phones are constantly phoning home uh to cell phone towers nearby so T-Mobile or
05:04
whoever can say hey this is where to route the text messages or where to route um the phone calls. And the byproduct of that is of course the general physical location depending on you know how close you are to the cell towers and that sort of thing. In the one we got it was a few blocks um in these ones these are real phone pings from
05:23
bounty hunter services. The one on the left is quite broad like that's not super helpful. The one on the right is I mean that's more than 5 or 6 blocks right? That is a section of a city uh but if you're a bounty hunter or if you're trying to stalk someone uh or anything really that can still be useful information. So it really really does vary the quality of the data. But it is not just cell phone tower data. There's
05:45
also assisted GPS or AGPS data. Of course this runs from the GPS chip in your phone and it's typically reserved for um emergency responders or 911 where they need to locate you uh for whatever reason if there's an incident. This is much more precise. It's not
06:03
really blocks it's more double digit figures. You know under 20 meters sometimes. Uh and sometimes it can show where someone is inside a building. Again this is a real phone ping it doesn't show where they are in the building they could be in the backyard or in the living room or whatever but they're clearly in that building. And um I did blur the
06:24
outer edge of it because I'm actually not sure if this is a fugitive or if it's someone who's the victim of stalking or abuse. Uh and that's actually sort of an issue of reporting this cause you can't always tell unless you manage to actually talk to um a victim which is uh difficult. So how the hell did um the person actually manage to
06:44
locate that phone in Queens New York which is of course the first question I kind of wanted to answer. I'm gonna give like a skeleton or a template of how it works in general but then drill down to the um specifics. So obviously it starts with the carriers AT&T T-Mobile whoever who they have this data anyway they give it to law
07:05
enforcement if they need it or if they do an over broad warrant or whatever um but one day the carriers decided we can also sell this data uh for various purposes. They then rather than just selling it straight to people uh which would be logistically difficult there would be a lot of infrastructure involved they'd have to you know set up
07:23
their own customer support or whatever. They sell um access to that data to location aggregators. And I should just say it's not like there's a sequel dump that's being sold from T-Mobile to location aggregators than someone else. It's more like they're selling the capability to look up that data via an API or whatever it may be. Um and
07:43
then when you want the data you'll look it up. It's not like um a single dump of information. But location aggregators yeah they act as this bottleneck and there's there were 3 I think there's 2 now and they purely focus on location data so they may say we want to prevent fraud with banks uh we'll we'll be able to check that hey if this person
08:03
is logging in from I don't know the Philippines or something but their phone is actually in the UK there's some sort of weird discrepancy there and maybe we could block the transaction and there's lots of use uh uses for location data. But what they do is the bottleneck then kind of expands out like an hourglass and that data access is
08:23
sold to data brokers. Now these guys don't focus just on location data, they may do address lookups, maybe phone subscriber information so you give it a phone, maybe you'll get the IMEI and you know the name and address of the person who's using it, uh sometimes license plate information and they will cater to all sorts of um
08:42
industries whoever it may be. And then you have the end user clients who are actually okay I'm gonna do this lookup and now I'm gonna find a location of a um a T-Mobile phone. And this is where a bounty hunter's gonna be or uh a property salesman or a used car salesman who also have had access to um this sort of data. So the phone we tracked uh it
09:03
just happened to be on the T-Mobile network when I was talking to my source uh they said that you can basically do any phone except Verizon so yeah we found a T-Mobile device and sent that number over. And then the way we figured this out was obviously that source was very knowledgeable about the uh industry. I ended up speaking to the location
09:20
aggregators, to other people who have used the company, other people who have used similar tools and there's even you know PDFs online that are just sitting out there. This story's kind of been out there in the open um but it kind of required the source proving it could happen to kind of bring it all together. T-Mobile sold the access to Zumigu, which is one of the two location aggregators. Uh they're the one that primarily
09:43
focuses on you know we want to prevent fraud and that sort of thing. But to give an idea of sort of companies that we're dealing with, this is a presentation that the F uh sorry that Zumigu gave to the FCC, the Federal Communications Commission a few years ago. This PDF was just online on the FCC website. And you'll see at the top it
10:02
says they're lobbying to remove the consent requirement of stating that information is being released by the carrier. When phone carriers sell this information, they do it under the prerequisite that whoever is using it is going to um seek consent. So you'll push a text message, you'll push a phone call saying hi you are about to be tracked by I
10:22
don't know uh AA, roadside assistance, something like that. Is that okay? Uh you ex- hopefully explicitly opt in uh and then there you can get your location. Here Zumigu is trying to get rid of that so you'd have to opt out of um having your location tracked at any time by any of the companies in the supply chain. They weren't successful in that
10:42
but it does give you an indication of what sort of companies um we're dealing with here. Then under that, there's a dat- uh data broker called Microbill. Um and again as I mentioned the data brokers don't just sell location data. These were doing address look ups, they weren't doing license plate uh I seem to remember but all sorts
11:03
of other um useful information you might want if you're tracking someone. Um so after the source told me about Microbills, I look around, I go on their website, I find this nice little PDF about a product called mobile device verify. Um which sounds more
11:20
innocuous than it actually is because then when you drill down it's like the geolocation lat long coordinates of the phone, the estimated location accuracy, the proximity of the location um to another one, that would be comparing it to an address, something like that. Um and then I did something else that we don't normally do, as well as paying the source to locate the phone, I also made to be honest a very crap undercover
11:44
identity, uh pretending to be a bounty hunter, just made a new email address and contacted Microbill saying hi, I'm interested in your mobile tracking product and I explicitly said I'm a bail bondsman and I want it for this purpose. They handily replied with a nice little price list and here you can see there's the location
12:02
verification which just be you pay 4.95 uh if you're looking between 1 and 2.50 phones, I think that's for per look up uh but I'd have to double check but then underneath there's the monitoring per device service. So Microbill doesn't just do individual pings but you could pay to track a phone hourly, uh daily, weekly um and potentially more granular
12:27
than that if you just pay a little bit more money. Uh I can't think of many legitimate uses of a private company selling to private individuals a constant monitoring service, the individual ping is almost defensible, I don't quite see uh the legitimate use case for a
12:44
monitoring per device and as you say it's like 12.95 there so it's exceedingly cheap to buy this data from these um from these companies. And it's not just bounty hunters so as I said Microbill caters to all these different industries but specifically with the mobile tracking product, they're doing motor vehicle se- uh sales which will be used car
13:04
salesman, car dealerships, that sort of thing. Um maybe if they're doing a background check on someone who's buying a very expensive car or I think uh definite use cases if someone is behind on their payments and maybe you need to repossess the vehicle, well we'll track their phone and then we'll find out where they are and then we will get a repo man to go get the um the car from them. Uh and then they're also
13:24
doing for property managers uh you know just people, landlords who are renting out um their buildings um I'm not entirely sure on how that data is actually uh used by them but Microbill were explicitly advertising to that market and it was explicitly the phone tracking product as well as the other ones as well. And then you get to the bottom of
13:44
the chain um and allegedly the end user was Bail Integrity Solutions. I say allegedly because I don't know, they weren't my source, it's only after our reporting Microbill did an internal investigation and they found that the the phone look up was allegedly from Bail
14:04
Integrity Solutions. There's an ongoing lawsuit there, you can go look at the public court documents and that's who they name um as the sort of bail bondsman or bounty hunter firm that was um getting access to this data. Now I'm not in that supply chain and neither is my source obviously so this is where sort of the legitimate trade, quote unquote
14:23
legitimate trade ends and the black market begins. Um Bail Integrity Solutions then gave that phone ping, the Google Maps interface to my source who gave it to me. Or another way to pull it is that I motherboard gave the phone number to my source who gave the
14:40
phone number to Bail Integrity Solutions who then triggered a look up via the Microbill API which goes up through Zumigu to to to T-Mobile, grabs the current location, brings it back down and then it gets um sent to me. Uh and just to stress, obviously I set this higher up but I should not have been able to get this data. As sketchy as bounty
15:02
hunters getting it, it's even worse if I, a completely unauthorized party was able to buy and obtain and use this data uh on the black market. So that was the one case um but as I said is not an isolated incident. So there's a website online, surcare1.com I think, you
15:22
can go look it up now, it is still there. When you visit, it looks like a normal placeholder, thank you for visiting our site, it's under construction, ok there's there's nothing really to look at here. But you go to a specific section of the site and there's a login portal. Um that red bit is just my IP address um that I uh redacted for for just making these screenshots. Uh and email address, password, you log in.
15:45
You'll you'll notice that there's no registration option. I'm not exactly sure how people join this website, invite only, uh maybe apply some other way um but you can't just go and sign up for this site which is because this is a secret website and secret
16:01
company only for serving bounty hunters. Um we haven't published these before and I appreciate they are heavily redacted. Uh but I did of course want to show you some stuff uh that we haven't been able to publish before. So my source as well as uh looking up the phone provided me with a cache of documents, various files from inside
16:22
surcare1. From what we can determine, these screenshots were taken with an administrator account of surcare1. So you log in with an admin account and you can see a list of all of the users uh who are on this website. In all, it will be around 250 bounty hunter companies which had their own accounts on this website. So
16:43
that's 250 bail integrity solutions who may be looking up for their own purposes for professional reasons. Maybe their staff fancy looking up their girlfriend's location which I have um been told happens in this industry. And there's also 250 people who may resell that access to people who aren't supposed to have it like me. Um and then it is just
17:04
like a normal functioning pretty basic website. You have numbers that you would click that would show obviously the phone number someone's looked up. Um the activity which I think actually may show the phone pings. I'm not entirely sure on that one. And then the billing, you just top up your account with maybe a thousand dollars and then we can
17:20
start pinging some phones. It's really really that simple. So you go and you click on the numbers and um including the data was obviously a list of the phone numbers that people have been geolocating. Uh on the left, those are the numbers. I had to redact them slightly. Then you have the date and the time of the look up. To the right of that you have the IP addresses which will become a bit more important later. Uh whether it was
17:44
found or not. And the sort of data that was obtained right at the end. The cell phone tower data or the AGPS data that I mentioned up top. I mean as you can see again it does vary wildly. The top one um a diameter of 582 meters. Right down to the bottom to like 3 and a half kilometers. So it's not super reliable but if you are a bounty
18:07
hunter just trying to find if someone's in I don't know Minnesota or then a particular city or even like a district of a city, this is still gonna be um pretty helpful. And then you can see the AGPS stuff right down to as I said double digit uh proximity or
18:23
accuracy. Just 13 meters uh you might be able to find someone. So I mentioned that this was a secret website um of course I'm not talking about any sort of official classification I just mean that in the terms of conditions of the site that I also got a copy of um it says that if you were using this service you would need to never reveal the website or the
18:43
company's existence to anyone. Um obviously someone broke that those terms of use. Uh thank you for doing that. But it it just goes to show you what pains they went to really really keep this under wraps as well as the hidden login portal uh and the lack of registration and the fact that it's having people to keep it uh quiet. So I mentioned the IP
19:02
addresses and they tell you when you sign up give us circa one two IPs that we can whitelist. That way you know we'll minimize abuse and we'll be able to you know keep on top of privacy uh and all that sort of thing. And they also tell you to be careful with your username and password cause obviously this is very sensitive data. Then you go
19:23
through the information, again the phone numbers, the dates and the IPs. There's more than two IPs there. Six four dot, seven one dot, one three one, eight seven. Um clearly the two IP rule is not really enforced at Sircare one. Uh leading one of my sources um to
19:43
stipulate and then some supporting evidence as well that this particular administrator of Sircare one was potentially reselling their access to the system on the black market to other people who would want it. Obviously we saw IPs from the US as you probably would expect but there were connections from Israel, uh from Lithuania, various
20:02
other places. Now obviously some of those could be VPNs, VPSs, whatever but it still goes to show the sort of lack, the lack of security measures uh on this website. And just indicative of the sort of secondary market that is going on underneath this. And I
20:24
text message, there is no phone call, there is no warning to the target device uh being pushed. So the target has no idea um they're being tracked at all. Uh and that was according to two sources familiar um with how the system worked and who had used it. And then some of it is just a normal you know payment website. People are signing up with
20:44
their personal gmail addresses. This isn't you know at legit bailbonds dot com, it's just some blokes personal gmail. Uh and you can top it up with um a couple of grand of credit and you can go and locate some phones as well. So we have, we've never shown this before. This is uh a nearly full screenshot of the Circare one um system in action. This is what
21:05
you will see when you will log in. You will look up a phone number and then this is what it will present you. Um so obviously you know there would be the phone number, the address of what the ping is, the lat long, uh the type of data in this case, a GPS, the time
21:20
and then the very nice paper ping balance at the bottom for two hundred and six uh two hundred and twenty six dollars left. Um the name at the top, Dan Grable uh I believe. He was this administrator of the um of the site uh of three admins who ran Circare one. He runs a sort of um they they sell telephone services to businesses and
21:44
that sort of thing and it appears that he was one of the accounts of Maeve being reselling access because there are all of these different IPs connecting through his um account. Uh he hasn't responded to requests for comment but if he wants to chat I'm happy to. This and and and this particular ping has um there's a story behind it. So in
22:07
May 2017 two bounty hunters are trying to track a fugitive from Minnesota. They track him somehow to this Nissan dealership just off a highway in Texas. The bounty hunters go
22:22
in, they lie to the dealership and say hi we're um US law enforcement, we're trying to apprehend someone dangerous, can we wait here for the guy to turn up the dealership, not wanting to you know interfere with a apparent law enforcement investigation, says yes sure. Uh the fugitive comes back, they confront him, weapons drawn, uh all three men are
22:44
armed, there's a brief scuffle. Uh the fugitive's gun falls out of his belt onto a desk, goes to grab it and then in about six seconds twenty shots are fired from all three guns at each other. Uh and all three men die very soon after that. Um a family uh of young
23:01
children uh with young children run away, people scream, you can go watch the uh the footage on YouTube. Um but then very strangely just shortly after um those two killings and the deaths, someone starts using Circa1 to look up the location of their bounty hunters phones and that's what this ping is. I don't think it's a coincidence that
23:23
two bounty hunters are out on the job and someone starts tracking their phones. And then just before this look up, the same account according to the data is used to look up the location of a phone from Minnesota which is where the fugitive was on the run from. We couldn't determine you know using various tools like people dot com or
23:43
various OSINT tools, we couldn't determine who that phone belonged to because it looked like it didn't really have any registration information, it seemed to be a relatively new phone. And you can maybe infer from that what you will, but we only publish what we can know right? So we we say we we weren't able to identify that apart from it being a Minnesota phone and it was before um the shooting. Very shortly before
24:04
multiple pings um before that. And it was also located after the shootings as well so that we can't really explain. Um and even if this is not a case of um oh we're looking up the location necessarily of a fugitive, it is still indicative of the sort of people
24:22
who are connected to this market of phone location data. That it's two bounty hunters who went in, they didn't take the body armor that was allegedly in their vehicle, they lied about being US law enforcement, they then got on a shootout and endangered a family of young children, they died and they killed someone as well. Um it just shows the
24:41
sort of people that are connected to this um this industry. So we had microbuilt which was the one I bought the ping from and then a while before we had the Circare 1 example I just gave. Uh and then just before that and kind of also overlapping with Circare 1, we had a service called locate your cell dot com, that's still online, you can go look it up.
25:06
And it appears this is one of the earliest examples of um private individuals selling the capability to look up um phones. So this isn't marketed to bounty hunters or roadside
25:20
assistance, it's marketed to people who lost their cell phone and they want to find it. Or it's marketed to people who maybe their, their kid went to the park and they haven't come back and they want to check they're okay or maybe their senior relative with dementia who's a bit confused and they, they didn't come home or something like that. Um the owner of this website who when you actually look into some of the who is this, who is
25:43
history and various other connectors is also uh linked to Circare 1. Uh a guy called um Frank Robito, he is quoted in like some obscure local media report from years and years ago boasting about how he used his company to help a woman find her phone that she left in a supermarket car park. Which is clearly not a uh law enforcement use or really
26:06
illegitimate use of um data or capability that is um this powerful. The, the system isn't online right now but as I said you can go to the website and you can, I think you can even create an account, I believe I tried to um but you can't actually use the lookup at
26:21
the moment because Circare 1 um was shut down, it's not exactly clear how and it appears this shared the same access or at least similar access um so this is no longer in operation either just at the moment. So you may be wondering where Verizon is in all of this, the microbuilt example where we pinged a phone as I mentioned it was only AT&T
26:45
Sprint and T-Mobile um and then from, from what I understand Verizon has taken a much stronger stance against this than the other telcos um one bounty hunter told me or sorry one bounty hunter and one other source told me that Verizon has enforced it so that
27:04
consent text or that consent call that's supposed to be pushed when you locate a phone, they're now enforcing that at the carrier level so they're not delegating that responsibility to the location aggregators or the data brokers or the end users, they're like we'll handle it, we will push the text out when you make an API request and then we will only release it um when we get the confirmation of
27:24
consent which of course is a good thing but I want to stress something that has kind of been lost in our coverage, Verizon is not innocent in this at all. Um last year uh Senator Ron Wyden's office and the New York Times did a sort of uh co-investigation or two
27:40
uh parallel investigations I'm not entirely sure but it was showing how all of the major carriers were selling the real time location data access to a company called Securus which would give it to low level law enforcement like prison guards and officials without a warrant. They would log into a Securus portal, upload a PDF of some
28:00
sort of document that kind of looked legit and then they would just let them um do the request and pull the data. Um they could do that without a warrant, they could do that without a subpoena, they could do it without any sort of court order um and Ron Wyden described it as sort of a pinky promise of ensuring this data is actually being requested properly. So there's that Securus case as well but then we also found one earlier before that and this is kind of in between secure uh Circair 1 and Securus,
28:28
they all have these really similar names, in between that. Um and as you can see right there, there's Verizon. Instantly look up the phone uh location of basically any phone in the United States. Uh again it's cell phone tower triangulation and uh GPS data if
28:44
available. You get a nice little Google Maps interface and it's only 7 panel uh $7.50 um a look up. And if it doesn't work you don't have to pay, it's all good. So this was explicitly marketing to bounty hunters as well. And I actually published this last year uh
29:02
shortly after the Ron Wyden one and nobody uh it didn't nobody really paid attention to it. I mean I was glad we got it out because I'd never heard about this before but it didn't uh it didn't get much attention. But this is the story that actually triggered the main phone pinging source at the top of the talk to come forward and say hey
29:22
there's a company that's still doing this. And this isn't just a US problem. Uh I know a lot of uh my articles especially and other people and maybe maybe talks about it are quite US focused but this is I mean it's not global but it is in other countries. So this is a screenshot from a map that someone sent me uh from a company called I think
29:44
it's Telesign uh I may have or Telesigns but they provide you know 2FA solutions. So if you want to implement some sort of turnkey solution for I need to have SMS 2FA on my website these guys will help you as far as I know. Uh they have like Salesforce um as
30:01
clients that sort of thing. And then you go on their website you look up their capabilities and their coverage and then about halfway down there phone ID current location plus which isn't exactly subtle in what it does. Obviously it provides the current location of the phone. Um and in blue are the places where they have services available. United States, Canada, India uh and then coming soon the Philippines. So when a source sent
30:26
me this of course I contacted Telesign like so where'd you get this data? That's that's pretty interesting. Uh they immediately took the map offline and replied we don't sell that data. I don't know why you have a a map online advertising this data if you don't
30:41
sell it we don't have any clients but um that's allegedly uh what they say. Um so after we did the phone pinging story where we de-located the phone um AT&T, T-Mobile and Sprint um said they were going to stop the sale of location data to all third parties. Um and as
31:04
far as we know that went into effect for all of them in May. Uh as I said Verizon had already done it but now all the major telcos are not selling uh that particular uh supply chain of location data um to anyone uh it seems. But obviously that is not the end.
31:23
As I said there is another section um on how this data uh can still be obtained uh today. So let's say you're an attacker and you want to get hold of some real time location data from a telco. All you really need to do is pose as law enforcement, you phone up the
31:43
carrier, you send them an email and you get the location data. Obviously this is a massive oversimplification so uh to give a more concrete um example, there was an uh a case a few years ago, a guy called John Edens. He is a a debt collector, when someone's behind
32:00
their payments on their cars he's tasked by an insurance company or a dealership or whatever to can you please go find a person so we can repossess this vehicle. Um he has a history of domestic violence and stalking, uh beating his wife, various other um charges and prosecutions. He had a habit of posing as um US Marshals. Um he would make some
32:24
spoof email addresses, I think he would spoof phone numbers as well and he would contact in particular T-Mobile. Um and then with that T-Mobile would handily uh reply with the location data of a number of his choosing. Um he didn't have to provide you know a
32:43
warrant or anything like that and obviously he can't because he's not actually law enforcement but he would provide fake exigent circumstances requests and this is where um law enforcement think there is you know there's a threat of life and it's too urgent to go through the normal process of going to a magistrate judge, getting a warrant, getting
33:00
that back and then we get the data. It's like a child has been kidnapped, we need this um this data immediately because there's you know imminent risk of harm. The FBI have used this um in various other ways uh in a slight different way to do you know deploy malware against um child abusers and that sort of thing. So he would contact T-Mobile, pretending to be US Marshals, he would do it on certain days or certain
33:23
times of the day. Um so particular people were working, he would build a rapport with them you know normal social engineering, wouldn't contact them when it would be um you know maybe there's someone who's quite strict and they're not gonna give out the data, he would try to avoid them um but he would get through to the right person and as you see
33:42
they would eventually eventually reply with the the lat the long uh and the handy Google Maps interface. So this is a I mean this is a screenshot from one of the documents in his court case, he was caught, he was prosecuted um I think he's out now. Um the DOJ redacted the phone number but they didn't redact the GPS coordinates so I've done
34:02
that because I think that's quite wild to put a victim of abuse's GPS coordinates in a court document but there you go. Um you can see there that the data's 2014 so that's obviously a long time ago but someone else was indicted either 2 or 3 months ago for doing the same to Verizon, to doing it to AT&T and T-Mobile um I think and
34:23
potentially Sprint as well but basically a selection of the large telcos including Verizon as far as I know. Um and people are doing this approach now today and they they may do it for their own purpose, they may do it like John Eden's did where I need to find this person, I need to track where their car is and repossess it, sure
34:43
whatever but there are people who will do this as a service and then they will sell that data um on the black market. And these are text messages uh between 2 people doing just that. So um on the left hand side is the person selling the phone pings, on the
35:00
right hand side is the um debt collector, the skip tracer saying hey here's the phone number could you look it up? And I think this is on Telegram and you can just see how casual it is. It's hey here's the phone numbers for right now, here's another phone number, they reply with the lat long um and the diameter of the look up and then thank
35:23
you smiley face. Um they may do another one but it powers the allegedly the phone's turned off so maybe they don't get a reading um and then you also see on the second screenshot on the right hand side on the you know the second message down it says for 11pm PST. Obviously if you're a bounty hunter you don't necessarily want to have a
35:44
look up um straight away. If someone's in bed say at 5am that's gonna be a pretty good time to get their real time location data or because then of course you can go maybe kick down their door or apprehend them when they're um resuspecting it. From what I understand this person was selling legitimate real genuine phone pings through that
36:05
scamming system I outlined reselling them but then when they um they lost their capabilities somehow I don't know if the telcos caught on or uh maybe there was a new staff member at the telcos something like that um they wouldn't able they weren't able to um do that any longer so they started scamming um people and saying that they
36:26
would take numbers they would allegedly do allegedly do look ups and then just send some coordinates and still take I don't know 300, 500 dollars and this has caused um a lot of issues in the bounty hunting industry with people scamming each other. And after our
36:40
coverage where the telcos stopped selling it um we've seen a spike of scams where um people will do you know quite good looking here's an order form, a pdf, we're IT consultants and we will do a look up for you um in India, in the US as well um but they are scammers. It's similar to how you know there's almost the unicorn of criminal for a
37:04
service SS7 access which does happen but when someone says or someone reports here's a tour hidden service you give them 500 bucks and you get SS7 look up it's probably gonna be a fake right? And that seems to be the case here but among the fakes there are people who are still genuinely doing this um and if you have the right contact you
37:24
could do whatever you want with that data. You you can stalk someone, you can trace your boyfriend, your girlfriend, whoever the person uh one of the clients for Securus was doing it to look up the position of a judge uh I know people who have uh allegedly done it to their ex-wives uh and again John Edens had a history of domestic
37:44
violence and when he would track someone he would turn up at their house uh be very violent, be very intimidated and just the risk of abuse here is um so great. So that's everything uh I wanted to present again if you know anything about location data, who's
38:02
buying it, who's selling it um any sort of capability there uh of course it's not just phone carriers it's apps as well if anyone can buy that data that's my signal, my wicker, my jab and my email and um I think I actually rushed through that so if anyone has any questions I'm happy to ask, if not uh if you don't want to talk to an investigative
38:21
journalist in front of a crowd of a load of hackers uh you can send me a signal message and we can meet later and thank you so much I appreciate it.